Microsoft recently announced that its Ignite conference (online only) will run again on November 2-4. That means we are approaching peak season for announcements, new public preview releases, and general availability. If the past is a good guide, “Q3” in announcements and roadmaps will often mean somewhere between early September and perhaps the third week of October: a code freeze will probably kick in before the event to avoid instabilities during live demonstrations.
I guess the worst kind of “supply chain” attack is one that comes via functionality rendered by your cloud services provider, software you did not choose to install but which arrives because you turned on a platform feature. Wiz disclosed a “quartet of zero-days” (four vulnerabilities, collectively dubbed OMIGOD) on September 14th. Since then there has been update after update, and news story after news story, about possible attacks on Linux-based workloads via the Open Management Infrastructure (OMI) agent, which Azure deploys onto a VM when it uses management features including (but not limited to):
Those of you running a secure Azure network (limited public IP addresses and micro-segmentation) are probably OK on the remote side: OMI listens on TCP ports such as 5985, 5986 and 1270, and that traffic should never be allowed in from exposed networks! Segmentation only addresses the remote code execution path, though. The other bugs in the quartet are local privilege escalations, so the agent still needs to be updated even on VMs that nothing outside your network can reach.
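One way to check the network side of this, as an added example that is not code from the original post or from Microsoft: a small Python script that reads NSG rules in the JSON shape produced by `az network nsg show -o json` and reports which of the OMI listener ports are reachable from the Internet, honouring Azure's rule ordering (ascending priority, first match wins, unmatched traffic falls to the default DenyAllInBound). The NSG below is a constructed sample and the function names are my own.

```python
import ipaddress

OMI_PORTS = (1270, 5985, 5986)  # OMI's HTTP/HTTPS listeners plus the port used by the OMS/SCOM agent
ANYWHERE = {"internet", "*", "0.0.0.0/0"}  # source values that mean "the whole Internet"


def _dest_ports(rule):
    """Ports a rule covers as a set, or None when it covers every port ('*')."""
    specs = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    ports = set()
    for spec in filter(None, specs):
        spec = str(spec).strip()
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _source_scope(rule):
    """(covers_whole_internet, covers_any_public_range) for the rule's source prefixes.
    Service tags other than Internet (VirtualNetwork, AzureLoadBalancer, ...) and ASG
    names are not Internet sources, so they are ignored."""
    single = rule.get("sourceAddressPrefix")
    prefixes = ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])
    whole, some = False, False
    for prefix in prefixes:
        p = prefix.strip().lower()
        if p in ANYWHERE:
            whole = some = True
            continue
        try:
            some = some or ipaddress.ip_network(p, strict=False).is_global
        except ValueError:
            pass  # not an IP prefix: a service tag or application security group name
    return whole, some


def exposed_omi_ports(nsg):
    """Map each OMI port reachable from the Internet to the Allow rule that opens it.
    Azure evaluates inbound rules by ascending priority and stops at the first match;
    a port no custom rule matches falls through to the default DenyAllInBound.
    Destination prefixes are deliberately ignored so the check errs on the side of reporting."""
    inbound = sorted(
        (r for r in nsg.get("securityRules", []) if str(r.get("direction", "")).lower() == "inbound"),
        key=lambda r: int(r["priority"]),
    )
    exposed = {}
    for port in OMI_PORTS:
        for rule in inbound:
            if str(rule.get("protocol", "*")).upper() not in ("TCP", "*"):
                continue
            ports = _dest_ports(rule)
            if ports is not None and port not in ports:
                continue
            whole, some = _source_scope(rule)
            access = str(rule.get("access", "")).lower()
            if access == "allow" and some:
                exposed[port] = rule["name"]
                break
            if access == "deny" and whole:
                break  # a blanket deny earlier in the order closes this port
    return exposed


SAMPLE_NSG = {  # constructed sample in the shape of `az network nsg show -o json`
    "name": "nsg-linux-workloads",
    "securityRules": [
        {"name": "AllowSshFromBastion", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.250.0/24", "destinationPortRange": "22"},
        {"name": "DenyWinRmFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["5985", "5986"]},
        {"name": "AllowMgmtFromAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "1270-1280"},
        {"name": "AllowWinRmFromAnywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "5985"},
    ],
}

if __name__ == "__main__":
    for port, rule in sorted(exposed_omi_ports(SAMPLE_NSG).items()):
        print(f"{SAMPLE_NSG['name']}: TCP {port} open to the Internet by rule '{rule}'")
```

Feed it every NSG from `az network nsg list -o json`, and remember that an NSG can be attached at the subnet and at the NIC; a port is only closed if both say so. A finding here matters only for VMs that also have a public IP or sit behind a public load balancer, and an empty result does not excuse skipping the agent update.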
Apparently, Microsoft ran an auto-update to upgrade the affected agent, and that process was due to finish on September 22nd. Since then, Microsoft has shared guidance on how to detect and update affected agents. I would recommend running the detection script yourself rather than trusting the auto-update; those of you with a SIEM solution might be able to use “threat hunting” queries to automate this across the estate.
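Added example, not Microsoft's detection script and not code from the original post: if your inventory or SIEM already collects package versions from Linux hosts (`rpm -qa omi`, `dpkg-query -W omi`, or `/opt/omi/bin/omiserver -v` output), the classification is a version comparison against the fixed release. Microsoft's fixed OMI build for this advisory is 1.6.8-1; confirm that threshold against the current guidance before relying on it. The inventory lines are a constructed sample and the function names are my own.

```python
import re

# Fixed OMI release for the September 2021 advisory (major, minor, patch, release).
# Confirm against Microsoft's current guidance before trusting this constant.
FIXED_OMI = (1, 6, 8, 1)

# Constructed sample: one host per line, followed by whatever the collector captured.
INVENTORY = """\
web-01   omi-1.6.4-1.x86_64
web-02   1.6.8-1
db-01    /opt/omi/bin/omiserver: 1.6.8-1
app-01   1.6.2-0
app-02   not-installed
"""

# rpm prints 1.6.8-1, dpkg prints 1.6.8-1, omiserver prints 1.6.8-1; accept '.' or '-' before the release number.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)")


def parse_omi_version(text):
    """Extract (major, minor, patch, release) from collector output; None if no version is present."""
    match = VERSION_RE.search(text)
    return tuple(int(g) for g in match.groups()) if match else None


def omi_needs_update(text):
    """True when the reported version is older than the fixed release.
    Tuples compare element by element, so 1.6.8-0 < 1.6.8-1 < 1.6.9-0 as intended."""
    version = parse_omi_version(text)
    return version is not None and version < FIXED_OMI


def triage(inventory):
    """Return {host: 'vulnerable' | 'patched' | 'no-omi'} for each non-empty inventory line."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, rest = line.split(None, 1)
        if parse_omi_version(rest) is None:
            result[host] = "no-omi"
        else:
            result[host] = "vulnerable" if omi_needs_update(rest) else "patched"
    return result


if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as `no-omi` still deserve a second look: the agent lives under /opt/omi and is not always registered with the package manager, so a collector that only asks dpkg or rpm can miss it.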
Based on the queries I’ve seen and received over the last few weeks, Private Link (which gives a PaaS resource a private endpoint, a NIC with a private IP address in one of your subnets, so that traffic to the service never has to cross a public endpoint) is getting more adoption. And with that adoption, people are finding that there are issues.
There have been two feature gaps with Private Link that are hurting customers who are implementing good network security practices:
Both of those feature gaps have now been addressed with public previews that are limited to a few regions:
Everyone wants to go full platform with Active Directory. I’m one of the holdouts who still prefers a good ol’ fashioned VM-based domain controller. But people want to push as much as possible to Azure AD Domain Services, and even to Azure AD only.
To answer that ask, Azure Virtual Desktop now supports virtual machines that are joined only to Azure AD. By the way, one can hold a loaded weapon to one’s own head with the safety off, but that is not typically recommended.
Microsoft has shared some known limitations of this new support:
Let’s not forget Group Policy, a very necessary feature for managing the configuration of these machines, the login experience, and the configuration of the profile, user folders and user settings. An Azure AD-only session host is outside the reach of domain Group Policy, so that configuration has to move to Intune (MDM) policy, which does not yet cover everything a GPO can. And then there’s the sticky topic of legacy third-party software, the migration of which to Azure is the very thing causing you to deploy Azure Virtual Desktop, that will expect to see a traditional domain. Those vendors are usually pretty flexible with support. NOT!
My guess is that this new feature is what Windows 365, which is powered by Azure Virtual Desktop, has been using under the covers, and that Microsoft has simply surfaced Azure AD support to Azure Virtual Desktop customers.
Just in case you missed the very subdued announcement, Windows Server 2022 is now generally available. Once upon a time, I used to gather all the new Hyper-V and related features that I discovered and keep the list on my own blog. Today, I struggle to find much news across the entire operating system.
That’s because Windows Server is now just a part of Azure Stack HCI: a hyper-converged Hyper-V / Azure Kubernetes Service cluster designed to run on-premises, with optional integration into Azure using Azure Arc. Unlike most of you reading this post, I cannot remember the last time I installed Windows Server; all my Windows machines have come from the Azure Marketplace over the last several years.
A lot of what I read about as a new Windows Server feature usually ends up being an Azure service, so I don’t really think of it as a Windows Server feature; it’s Marketing playing “look over here at this shiny thing”. But there are new features spanning areas such as: